Network system enabling transmission control

ABSTRACT

A network system capable of preventing the leakage of a confidential file by an inadvertent act of a transmitting party and capable of meeting the requirement for an arbitrary file format is disclosed. A label indicating a security level (“confidential” or “unclassified”) is attached to the file in a client terminal, which transmits the labeled file outside. A transmission management program on a gateway server checks the label of the file, and in the case where the security level is “unclassified”, transmits the file to an external network. Also, a label management program manages the labeled file in the client terminal.

BACKGROUND OF THE INVENTION

[0001] The present invention relates to a technique for preventing the confidential information handled in an organization or the like from leaking outside.

[0002] The electronic data handled in an organization or the like contain lots of confidential information. On these electronic data, the word “confidential” is written in the documents intentionally to inform the viewers that the particular data are confidential. The confidential data are thus prevented from leaking outside by making the viewers conscious of the importance of not leaking the data outside. Sometimes, however, the confidential data may be inadvertently or intentionally transmitted outside by mail. To cope with this problem, the server searches the mail contents using a keyword to check whether a preset keyword (“confidential”, for example) is contained in the mail. In the case where the keyword is not contained in the mail, the mails are transmitted as they are, while in the case where the keyword is contained in the mail, the transmission is suspended.

[0003] Some confidential information can be accessed only by executives of an organization. In order to prevent the confidential information from being accessed by unauthorized personnel, the information flow can be controlled to make the particular confidential information inaccessible from other than the executives by attaching a forcible (mandatory) access control function.

[0004] For detailed information on the forcible access control, refer to the reference (TCSEC) “Department of Defense Trusted Computer System Evaluation Criteria” DOD 5200.28-STD.

[0005] On the other hand, U.S. Pat. No. 5,940,591 discloses a technique for realizing a multi-level security in the network environment.

[0006] Also, JP-A-8-204701 discloses a method of preventing the confidential information from leaking to third parties by transmitting the information in encrypted form.

[0007] The system for preventing the information leakage based on the keyword search is effective for specified data formats, but not effective for other data formats and an image file containing no text information.

[0008] In a computer equipped with the mandatory access control function, the information flow can be controlled sufficiently as long as the data stay within the particular computer. Once the data are transferred to another computer, however, the security level of the data, which is dependent on the transferee computer, cannot be easily guaranteed. Also, the computer having the mandatory access control function is often utilized for special applications and unable to be used for general-purpose applications. The use of such a computer, therefore, hardly extends to unclassified companies and organizations.

[0009] U.S. Pat. No. 5,940,591 described above poses such problems as: (1) the access control is provided for each user but not for each file, and (2) the requirement for making inquiry at a security manager each time of transmission results in a heavy load.

[0010] In the case where data are transmitted in encrypted form, on the other hand, the data are encrypted at an employee's terminal, and therefore the employee is required to be informed which data is confidential. As a result, the confidential data may be inadvertently transmitted without being encrypted.

SUMMARY OF THE INVENTION

[0011] The present invention provides a technique for preventing the confidential information of an organization from being transmitted inadvertently by an employee in charge of data transmission.

[0012] The invention further provides a system capable of using the technique described above with an arbitrary data format.

[0013] The invention further provides a technique whereby the security level (“confidential” or “unclassified”) of data is maintained in the data transfer within an organization and is usable for an arbitrary data format.

[0014] Specifically, additional information indicating the attribute of the information proper (data body) is attached to the information proper (data body), and the transmission and receipt of the information proper are controlled using the particular additional information.

[0015] More specifically, a label (additional information) indicating the attribute is attached to each data body (information proper), so that the data with the label are handled within the organization. The attribute includes a security level (“confidential” or “unclassified”), for example. In the case where the data are transmitted outside, this label is checked by a transmission control program on a gateway server, which decides whether the data can be transmitted outside or not, and in the case where the data is transmissible outside, removes the label from the data and transmits the data body outside. On the other hand, the gateway server that has received a data body from outside attaches a label to the data body and transmits the data to the address in the organization.

[0016] At a terminal used by a user, a label may not be attached directly on the data body but the security level information of each data may be written in another file. In the case where the data body is transmitted from a client terminal, a label indicating the security level of the data body is attached by referring to the file and the labeled data is transmitted.

[0017] By attaching a signature to the label, the chance of illegal alteration of the label is reduced while at the same time making it possible to identify the party who has set the security level.

[0018] According to the invention, there is also provided a technique for preventing the illegal alteration or destruction of the label by the bug of an application program or a device driver or the operating error on the part of the user. Specifically, a multi OS (operating system) control technique is used to execute two operating systems in such a manner that one operating system is made available for use by the user while the other operating system is exclusively used for label management.

[0019] According to this invention, as compared with the US patent described above, (1) the access to each data can be controlled by an access control list, and (2) since the access control list is located within each user terminal, no inquiry is required each time.

[0020] Other objects, features and advantages of the invention will become apparent from the following description of the embodiments of the invention taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] FIG. 1 is a diagram showing the whole network system according to the invention.

[0022] FIG. 2 is a diagram showing a label format.

[0023] FIG. 3 is a flowchart for performing the process of opening a file.

[0024] FIG. 4 is a diagram showing a process management list.

[0025] FIG. 5 is a flowchart for performing the process of reading from a file.

[0026] FIG. 6 is a flowchart for performing the process of writing into a file.

[0027] FIG. 7 is a flowchart for performing the process of writing a file into removable media.

[0028] FIG. 8 is a flowchart for performing the process of reading a file from removable media.

[0029] FIG. 9 is a flowchart for performing the process of transmitting a file onto a network.

[0030] FIG. 10 is a flowchart for performing the process of changing the security level.

[0031] FIG. 11 is a flowchart for performing the process of checking the label at a gateway server.

[0032] FIG. 12 is a diagram showing a format of a security level control list.

[0033] FIG. 13 is a flowchart for performing the process of writing a file into removable media according to a second embodiment of the invention.

[0034] FIG. 14 is a diagram showing a structure of a labeled file according to a third embodiment of the invention.

[0035] FIG. 15 is a flowchart for performing the process of writing into a file according to the third embodiment of the invention.

[0036] FIG. 16 is a flowchart for performing the process of receiving a file at a client terminal.

[0037] FIG. 17 is a flowchart for performing the process of checking the label at a gateway server according to the third embodiment of the invention.

[0038] FIG. 18 is a diagram showing a configuration of a client terminal of a network system according to this invention using two operating systems.

DESCRIPTION OF THE EMBODIMENTS

[0039] The disclosures of all articles and references, including patent documents, mentioned in the application are incorporated herein by reference for all purposes.

[0040] (First Embodiment)

[0041] A first embodiment of the invention will be explained. According to this embodiment, a label indicating a security level is attached to the head of the data stored in a file. The information flow is controlled using this label information. The contents and the number of the security levels can be set freely for each system. The description that follows refers to two levels including “confidential” and “unclassified”. This label may or may not be attached to a file depending on the type of the file. No label is attached to the system file and the driver file, for example, while the label is attached to an application data file. The manner in which a file with no label attached thereto is handled is determined in advance as a system policy. According to this embodiment, any files with no label attached thereto are handled as “unclassified” data at a client terminal.

[0042] FIG. 1 shows an example of a configuration of the system according to this embodiment. At least one client terminal 101, a gateway server 118 and a key management server 114 are connected to an in-house network 117. Further, the gateway server 118 is connected to an external network 121. The client terminal 101 includes a CPU 113, a memory 102, a magnetic disk 106, a network I/F 112 and an external storage unit 122. The memory 102 has loaded thereon a label management program 109, a file system driver 104, a disk driver 105, a protocol driver 110, a network adaptor driver 111, an application program 103 and a security level change program 108. Each of these programs is operated under the control of an operating system (OS).

[0043] A plurality of files 107 are stored in the magnetic disk 106. The external storage unit 122 is a device for reading or writing data from or into the file 124 in removable storage media (hereinafter referred to as removable media) 123. The external storage unit includes, for example, a floppy disk drive or a CD-ROM device. A transmission management program 119 and a receiving management program 120 are operating in the gateway server 118. The key management server 114 includes key information 116 and has a key management program 115 operating therein. The client terminal 101 transmits a labeled file onto the network, and the gateway server 118 checks the label of the labeled file to determine whether the particular labeled file should be transmitted outside or not.

[0044] Each program in each embodiment may be introduced into the memory 102 from the magnetic disk 106, the removable media, or other servers connected to a network in or outside an organization.

[0045] FIG. 2 shows an example of a label format according to this embodiment. The label is located at the head of the file 107 and has information of 32 bits (4 bytes). Of the 32 bits, the first two bits represent the version information 201 for the label format, the next three bits the security level 202 of the file 107, the following three bits the settlor level 203 for setting the security level of the file 107, and the remaining 24 bits the settlor ID 204 who has set the security level of the file 107. The security level 202 includes “unclassified” and “confidential”, and the settlor level 203 includes, for example, “employee”, “group leader”, “section manager” and “department manager”. The format and the size of the label may be varied from one organization to another depending on the number of the security levels 202, the size of the organization or other information to be added. The other information includes, for example, the term of validity of the label, the information on the person who has generated the file 107 and the access control information (the read-only information, etc.). The access can be controlled using various information other than the security level 202.
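The 32-bit label layout of FIG. 2 can be written as a small codec; the following is an added example, not code from the patent. It assumes the "first two bits" are the most significant bits of a big-endian word and assigns numeric values to the levels, neither of which the text specifies.

```python
"""Codec for the 4-byte file label of FIG. 2 (illustrative, not from the patent)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple

LABEL_SIZE = 4  # bytes; the label sits at the head of the file


# Assumption: the text names these levels but not their bit encodings.
class SecurityLevel(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1


class SettlorLevel(IntEnum):
    EMPLOYEE = 0
    GROUP_LEADER = 1
    SECTION_MANAGER = 2
    DEPARTMENT_MANAGER = 3


@dataclass(frozen=True)
class Label:
    version: int                    # 2 bits, version information 201
    security_level: SecurityLevel   # 3 bits, security level 202
    settlor_level: SettlorLevel     # 3 bits, settlor level 203
    settlor_id: int                 # 24 bits, settlor ID 204

    def pack(self) -> bytes:
        """Serialize to 4 bytes, rejecting values that overflow their field."""
        if not 0 <= self.version < (1 << 2):
            raise ValueError("version must fit in 2 bits")
        if not 0 <= self.settlor_id < (1 << 24):
            raise ValueError("settlor ID must fit in 24 bits")
        word = (
            (self.version << 30)
            | (int(self.security_level) << 27)
            | (int(self.settlor_level) << 24)
            | self.settlor_id
        )
        return word.to_bytes(LABEL_SIZE, "big")

    @classmethod
    def unpack(cls, raw: bytes) -> "Label":
        """Parse the first 4 bytes; unknown level codes raise ValueError."""
        if len(raw) < LABEL_SIZE:
            raise ValueError("truncated label")
        word = int.from_bytes(raw[:LABEL_SIZE], "big")
        return cls(
            version=word >> 30,
            security_level=SecurityLevel((word >> 27) & 0b111),
            settlor_level=SettlorLevel((word >> 24) & 0b111),
            settlor_id=word & 0xFFFFFF,
        )


def attach(label: Label, body: bytes) -> bytes:
    """Build the on-disk form: label followed by the data body."""
    return label.pack() + body


def split(labeled: bytes) -> Tuple[Label, bytes]:
    """Separate a labeled file into its label and the data body."""
    return Label.unpack(labeled), labeled[LABEL_SIZE:]


if __name__ == "__main__":
    # Constructed sample values.
    lab = Label(1, SecurityLevel.CONFIDENTIAL, SettlorLevel.SECTION_MANAGER, 0x00BEEF)
    print(lab.pack().hex(), split(attach(lab, b"quarterly plan")))
```

Because the level fields are three bits wide and only some codes are defined, the parser fails closed on an undefined code instead of mapping it to a default level.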

[0046] The label management program 109 is for managing the label of the file 107. In the case where the application program 103 accesses the file 107, the label is removed and data (data body) other than the label is delivered to the application program 103. In the case where the application program 103 transmits the file 107 to the in-house network 117 through the network I/F 112, on the other hand, the label management program 109 transmits the file 107 with the label.

[0047] FIG. 3 is a flowchart for performing the process of opening the file 107 located on the magnetic disk 106. “To open the file” is a pre-process making possible the operations including the reading of data in the file or the writing of data in the file.

[0048] In step 301, the application program 103 issues a request for opening the file 107 to the label management program 109 through the I/O manager of the operating system.

[0049] In step 302, the label management program 109 acquires the process ID of the application program 103 through the I/O manager. The process is a unit of executing a program managed by the operating system and the process ID is defined as an identifier of the process.

[0050] In step 303, the label management program 109 checks the security level 202 of the file 107. In the case where no label is attached to the file 107, the particular file 107 is determined as an “unclassified” file. Examples lacking the label are a system file and a driver file.

[0051] In step 304, the label management program 109 checks the security level of the application program 103 from the process ID. The label management program 109 checks the security level of the application program 103 by referring to the process management list 400 shown in FIG. 4. As of the time point when the file 107 is not yet opened by the application program 103, the security level of the application program 103 is not yet set.

[0052] The requirements for the security level (the security level of the process in execution) of the application program are as follows. Specifically, the application program 103 itself can handle files of various security levels. In the case where confidential files and unclassified files are handled at the same time, the confidential information may be written in an unclassified file (such as cut and paste). According to this embodiment, this risk is avoided by utilizing the security level of the process.

[0053] FIG. 4 shows a process management list 400. The first column shows the process ID 401, the second column the security level 402 of the particular process (security level of the application program), the third column the name 403 of the file opened, and the fourth column the security level 404 of the particular file 107. The process management list 400 is prepared and initialized by a label management program 109 at the time of loading the label management program 109. Also, the label management list 400 is updated by the label management program 109.

[0054] In step 305, the label management program 109 checks whether the security level 402 of the application program 103 has been set or not, and in the case where it has been set, the process proceeds to step 311, otherwise the process is passed to step 306.

[0055] In step 306, the label management program 109 adds the process ID of the application program 103 to the process management list 400.

[0056] In step 307, the label management program 109 sets the process security level 402 of the application program 103 to the security level 202 of the file 107.

[0057] In step 308, the label management program 109 adds the file name 403 and the security level 202 of the particular file 107 to the process management list 400.

[0058] In step 309, the label management program 109 transmits a request to the file system driver 104 to open the file 107.

[0059] In step 310, the file is successfully opened.

[0060] In step 311, the label management program 109 checks whether the security level 402 of the application program 103 is coincident with the security level 202 of the file 107. In the case where they are coincident, the process proceeds to step 308, otherwise the process proceeds to step 312.

[0061] In step 312, the label management program 109 displays a message for causing the user to determine whether the file 107 is really to be opened or not.

[0062] In step 313, the user decides whether the file 107 is opened or not. In the case where the user decides to open the file 107, the process proceeds to step 314, while in the case where the user decides not to open the file 107, the process proceeds to step 315.

[0063] In step 314, the label management program 109 checks whether the security level 402 of the application program 103 is higher than the security level 202 of the file 107. In the case where the security level 402 of the application program 103 is higher, the process proceeds to step 308, otherwise the process proceeds to step 307.

[0064] In step 315, the label management program 109 transmits the open error message of the file 107 to the application program 103.

[0065] In step 316, the file fails to be opened.

[0066] According to this embodiment, the application program 103 can always open the file 107 depending on the designation by the user. In the case where the security level 402 of the application program 103 is not coincident with the security level 202 of the file 107 in step 311 of FIG. 3, however, the process may proceed to step 315 thereby to forcibly reject the file open request.

[0067] Also, at the time of preparing a new file, the user selects the security level 202 of the same file. In the standard setting, the security level 202 of the file is set equal to the security level 402 of the application program 103. In the case where the security level 402 of the application program 103 is “not yet set”, on the other hand, the highest “confidential” level is desirably selected.

[0068] FIG. 5 is a flowchart for performing the process of reading data from the file 107 according to this embodiment. In this case, an explanation will be made about a case in which the application program 103 reads the byte offset 0xAB00 providing an address from the head of the file 107, where 0x indicates a hexadecimal notation.

[0069] In step 501, the application program 103 issues a request to read the data from the byte offset 0xAB00 of the file 107.

[0070] In step 502, the label management program 103 converts the byte offset 0xAB00 to the actual byte offset 0xAB04. According to this embodiment, the file 107 carries the information (label) of four bytes (32 bits) at the head of the file 107. Since the application program 103 is not informed of the presence of the label, however, the byte offset which the application program 103 requests to read is required to be adjusted. As a result, according to this embodiment, a value obtained by adding four bytes, i.e. the byte length of the label information to the byte offset requested by the application program 103 constitutes the actual byte offset.

[0071] In step 503, the file system driver 104 converts the actual byte offset 0xAB04 to the relative position on the magnetic disk 106.

[0072] In step 504, the disk driver 105 converts the relative position of the magnetic disk 106 to a physical position and reads the data into the memory 102.

[0073] FIG. 6 is a flowchart for performing the process of writing the data in the file 107 according to this embodiment. As an example, an explanation will be made about a case in which the application program 103 writes into a specific byte offset 0xAB00 of the file.

[0074] In step 601, the application program 103 issues a request to write the data in the byte offset 0xAB00 of the file 107.

[0075] In step 602, the label management program 109 checks the security level 402 of the application program 103 and the security level 202 of the file 107.

[0076] In step 603, the label management program 109 checks whether the security level of the application program 103 is coincident with that of the file 107. In the case where they are coincident with each other, the process proceeds to step 605, otherwise the process proceeds to step 604.

[0077] In step 605, the label management program 109 converts the byte offset 0xAB00 to the actual byte offset 0xAB04. As in the case where the application program 103 reads the data of the file 107 as described above, a value obtained by adding four bytes to the byte offset requested by the application program 103 constitutes an actual byte offset.

[0078] In step 606, the file system driver 104 converts the actual byte offset 0xAB04 to the relative position on the magnetic disk 106.

[0079] In step 607, the disk driver 105 converts the relative position on the magnetic disk 106 to a physical position and transfers the data to the magnetic disk 106.

[0080] In step 604, the label management program 109 changes the security level 202 of the file 107 to the security level 402 of the application program 103, and further changes the settlor level 203 and the settlor ID 204, followed by proceeding to step 605. According to this embodiment, the security level 202 of the file 107 is changed to the security level 402 of the application program 103 forcibly in step 604. As an alternative, however, a message may be displayed to permit the user to select the security level 202 of the file 107.
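The open flow of FIG. 3 and the write flow of FIG. 6 together make the process security level a high-water mark that is pushed onto any file the process writes. The sketch below is an added example, not code from the patent; the class and method names, the `confirm` callback standing in for the user prompt, and the in-memory dictionary standing in for on-disk labels are all assumptions.

```python
"""Process-level tracking per FIG. 3 (open) and FIG. 6 (write); illustrative only."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, Mapping, Optional


class Level(IntEnum):  # numeric ordering is an assumption; higher = more sensitive
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1


@dataclass
class ProcessEntry:
    """One row group of the process management list 400."""
    level: Optional[Level] = None                                # 402; None = not yet set
    open_files: Dict[str, Level] = field(default_factory=dict)   # 403 -> 404


Confirm = Callable[[int, str, Level], bool]  # stands in for the prompt of steps 312-313


class LabelManager:
    def __init__(self, file_levels: Mapping[str, Level], strict: bool = False):
        self.file_levels = dict(file_levels)          # stands in for labels on disk
        self.processes: Dict[int, ProcessEntry] = {}  # process management list 400
        self.strict = strict                          # variant of [0066]: reject on mismatch

    def _file_level(self, name: str) -> Level:
        # Step 303: a file without a label is treated as unclassified.
        return self.file_levels.get(name, Level.UNCLASSIFIED)

    def open_file(self, pid: int, name: str, confirm: Confirm) -> bool:
        file_level = self._file_level(name)
        entry = self.processes.get(pid)
        if entry is None or entry.level is None:      # step 305: level not yet set
            entry = self.processes.setdefault(pid, ProcessEntry())  # step 306
            entry.level = file_level                  # step 307
        elif entry.level != file_level:               # step 311: levels differ
            if self.strict or not confirm(pid, name, file_level):
                return False                          # steps 315-316: open fails
            if entry.level < file_level:              # step 314: process not higher
                entry.level = file_level              # step 307: raise the process
        entry.open_files[name] = file_level           # step 308
        return True                                   # steps 309-310

    def write_file(self, pid: int, name: str) -> Level:
        """Apply steps 602-604 and return the file's level after the write."""
        entry = self.processes.get(pid)
        if entry is None or name not in entry.open_files:
            raise PermissionError("file was not opened through the label manager")
        if entry.level != self._file_level(name):     # step 603
            self.file_levels[name] = entry.level      # step 604: relabel the file
            entry.open_files[name] = entry.level
        return self.file_levels.get(name, Level.UNCLASSIFIED)


def demo() -> Level:
    """Constructed scenario: an editor opens a memo, then a confidential plan."""
    mgr = LabelManager({"plan.doc": Level.CONFIDENTIAL, "memo.txt": Level.UNCLASSIFIED})
    mgr.open_file(42, "memo.txt", lambda *_: True)
    mgr.open_file(42, "plan.doc", lambda *_: True)   # user confirms; process is raised
    return mgr.write_file(42, "memo.txt")            # memo inherits the process level


if __name__ == "__main__":
    print(demo().name)
```

Since step 314 only ever raises the process level, a process can never hold an open file more sensitive than itself, so the relabeling in step 604 never lowers a file's level.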

[0081] According to this embodiment, the external storage unit 122 is arranged at the client terminal 101, so that the data can be transferred to another terminal using the removable media 123. As a result, the information is liable to leak out through the removable media. Thus, the data in the removable media 123 is required to be protected from an illegal access from an external source.

[0082] FIG. 7 is a flowchart for performing the process of writing the file 107 into the removable media 123 according to this embodiment. In this case, an explanation will be made about a case in which the application program 103 prepares a file 124 anew and the data of the file 107 is copied to the file 124 thus prepared. The security level of the file 124 is set by the application program 103 when the data is written in the file 124.

[0083] In step 701, the application program 103 issues a request to write the data of the file 107 into the file 124 in the removable media 123.

[0084] In step 702, the label management program 109 checks the security level 202 of the file 107.

[0085] In step 703, whether the security level 202 of the file 107 is “confidential” or not is checked, and in the case where the security level 202 is “unclassified”, the process proceeds to step 704, while in the case where the security level is “confidential”, the process proceeds to step 706.

[0086] In the case where the security level 202 is “unclassified”, the label management program 109 issues a request to write the data other than the label of the file 107 into the file 124 in the removable media 123 in step 704.

[0087] In step 705, the write request is received by the file system driver 104, and the data of the file 107 is transferred to the removable media 123 by the disk driver 105.

[0088] In the case where the security level 202 is “confidential”, an encryption key and a decryption key are generated by the label management program 109 in step 706. The encryption key and the decryption key may be identical to each other.

[0089] In step 707, the label management program 109 registers the decryption key in the key management server 114 and receives an identifier (ID number, for example) from the key management server 114.

[0090] In step 708, the label management program 109 encrypts the file 107 using the encryption key, and prepares an encryption file. The encryption file includes the ID number and the encrypted data. The ID number is added by the label management program 109 at the time of preparing the encryption file.

[0091] In step 709, the label management program 109 issues a request to write the data of the encryption file into the file 124 in the removable media 123, and the process proceeds to step 705.

[0092] In the case where the encrypted data in the existing file 124 is updated, the label management program 109 transmits the ID number contained in the file 124 to the key management server 114, and receives the encryption key from the key management server 114. The label management program 109 encrypts the data using the encryption key thus received, and writes the encrypted data in the file 124.

[0093] FIG. 8 is a flowchart for performing the process of reading the data from the file 124 in the removable media 123.

[0094] In step 801, the application program 103 issues a request to the label management program 109 to read the data from the file 124 in the removable media 123.

[0095] In step 802, the label management program 109 issues a request to the file system driver 104 to read the data from the file 124 in the removable media 123.

[0096] In step 803, the file system driver 104 receives the read request, and the disk driver 105 reads the data from the file 124 in the removable media 123.

[0097] In step 804, the label management program 109 receives the data thus read out, and checks whether the particular data is encrypted or not.

[0098] In the case where the data is not encrypted, the process proceeds from step 805 to step 806, while in the case where the data is encrypted, the process proceeds to step 807.

[0099] In step 806, the label management program 109 delivers the data to the application program 103.

[0100] In step 807, the label management program 109 reads the ID number of the file 124.

[0101] In step 808, the label management program 109 transmits the ID number of the file 124 to the key management server 114, and receives the decryption key for the file 124.

[0102] In step 809, the label management program 109 decrypts the encrypted data using the decryption key, and the process proceeds to step 806.

[0103] The data for the communication between the client terminal 101 and the key management server 114 in step 808 may be encrypted.

[0104] In the case where the data of the file 124 on the removable media 123 is copied or transferred to the file 107 of the magnetic disk 106 with no label attached to the file 124, the label management program 109 attaches the label “unclassified” to the file 124 and stores it in the magnetic disk 106.

[0105] FIG. 9 is a flowchart for the application program 103 performing the process of transmitting the file to the network 117.

[0106] In step 901, the application program 103 issues a request to transmit the file with a label.

[0107] In step 902, the label management program 109 acquires the security level 202 of the file 107, and converts it to a request to transmit a labeled file. The application program 103 outputs an unlabeled file data as data to be transmitted, and therefore the label management program 109 converts it to a labeled file.

[0108] In step 903, the protocol driver 110 divides the labeled file into packets, and prepares a packet header.

[0109] In step 904, the network adapter driver 111 transmits the file 107 outside through a LAN controller.

[0110] Now, the security level change program 108 will be explained. The security level change program 108 is for changing the security level 202 of the file 107. FIG. 10 is a flowchart for performing the process of changing the “confidential” file 107 to an “unclassified” file.

[0111] In step 1001, the security level change program 108 issues a request to change the security level 202 of the file 107 from “confidential” to “unclassified”.

[0112] In step 1002, the label management program 109 acquires the settlor ID 204 by reading the label of the file 107.

[0113] In step 1003, it is determined whether the settlor ID 204 acquired in step 1002 is coincident with the changer ID of the security level 202. In the case of coincidence, the process proceeds to step 1004, otherwise the process proceeds to step 1005.

[0114] In step 1004, the label management program 109 changes the security level 202 of the file 107 to “unclassified”, while at the same time changing the settlor ID 204 and the settlor level 203.

[0115] In step 1005, it is determined whether the changer of the security level 202 is authorized to change the security level 202 or not. If the answer is affirmative, the process proceeds to step 1004, otherwise the process proceeds to step 1006.

[0116] In step 1006, the label management program 109 delivers an error message to the security level change program 108.

[0117] In step 1005, the authorization to change the security level 202 means the authorization to change the security level 202 forcibly. This authorization can be set in such a manner that the change is possible in the case where the level granted an authorized person intending to change the security level 202 is higher than the settlor level 203 of the file 107. Also, it is possible to set the authorization in such a manner that even a person authorized to change the security level 202 cannot change the security level 202 of all the files 107 unconditionally but may or may not change it depending on the settlor ID 204. Alternatively, the policy of the authorization to change the security level 202 may be set dividedly for each organization. The foregoing description concerns a case in which the security level 202 is changed from “confidential” to “unclassified”. Nevertheless, three or more security levels 202, if any, can be reduced by a similar method.

[0118] The security level change program 108 can also increase the security level 202 from the “unclassified” file 107 to the “confidential” file 107. Taking into consideration that the information leakage can be prevented by increasing the security level 202, an arrangement can be made so that every person can unconditionally perform the operation of increasing the security level 202.

[0119] The transmission management program 119 checks the label of thefile 107 to be transmitted to the external network 121 by the clientterminal 101 and determines whether the particular file 107 is to betransmitted or not. FIG. 11 is a flowchart for performing the process ofchecking the label.

[0120] In step 1201, the gateway server 118 receives the file 107 to betransmitted to the external network 121 from the in-house clientterminal 101.

[0121] In step 1202, the transmission management program 119 decideswhether a label is attached to the file 107 or not.

[0122] In the case where the label is so attached, the process proceedsfrom step 1203 to step 1204, otherwise the process proceeds to step1209.

[0123] In step 1204, the transmission management program 119 checks thesecurity level 202 of the file 107.

[0124] In the case where the security level 202 of the file 107 is“unclassified”, the process proceeds from step 1205 to step 1206,otherwise the process proceeds to step 1211.

[0125] In step 1206, the transmission management program 119 removes thelabel from the file 107.

[0126] In step 1207, the transmission management program 119 transmitsthe file 107 outside.

[0127] In step 128, the file is transmitted successfully.

[0128] In step 1209, the transmission management program 119 determinesthat the file 107 is illegal data, and sends an error message to thetransmitter terminal and the device used by the system manager.

[0129] In step 1210, the file transmission ends in failure.

[0130] In step 1211, the transmission management program 119 sends to the transmitter terminal a message to the effect that the security level 202 of the file 107 is “confidential”.

[0131] In step 1212, the file transmission ends in failure.

[0132] In step 1206, the label is removed in order to follow the policy that the label can be interpreted only for other systems and terminals to which the system according to this embodiment is introduced. According to this embodiment, therefore, although the label is removed when the file is transmitted outside, the label can otherwise be handled as long as other policies are followed.

[0133] Also, according to this embodiment, with regard to the data transmitted outside of an organization, the label is removed after determining whether the data is to be transmitted to the external network 121 on the gateway server 118. Therefore, the embodiment can be utilized transparently also for the external network 121.

[0134] Also, the gateway server 118 is provided with a permitted transmittee list, so that the file 107 can be transmitted to any external transmittee described in the permitted transmittee list even in the case where the security level 202 is “confidential”. In such a case, the transmission management program 119 encrypts the file 107 and transmits the file 107 without removing the label. Further, the transmission management program 119 records the transmitter, the transmittee and the transmission file in a log. The encryption key is registered in the key management server 114 in the same manner as in the case where the file 107 is written in the removable media. The file 107 transmitted this way has an ID number and the encryption data.

[0135] Now, an explanation will be given of the process performed in the case where the gateway server 118 receives the file 107 from the external network 121.

[0136] First, the gateway server 118 receives the file 107 transmitted toward the client terminal 101 from the external network 121.

[0137] Then, the receiving management program 120 attaches the “unclassified” label to the file 107. Also, the settlor ID 204 is set as the ID for the gateway server 118, and the settlor level 203 is set to the lowest level.

[0138] After that, the receiving management program 120 transmits the file 107 to the client terminal 101.

[0139] The receiving management program 120 may have the function of receiving the labeled file 107. In such a case, the receiving management program 120, after confirming that the label is attached, transmits the file 107 to the client terminal 101.

[0140] The authentication can be granted each other between terminals in the in-house network 117 (between the client terminals 101 or between a client terminal 101 and the gateway server 118). The authentication between the terminals (101, 118, 114) is carried out by each terminal referring to a list (the communication permission list) held by it, which describes the MAC (Media Access Control) addresses of the terminals with which communication is permitted by each terminal. Each terminal can thus be controlled to carry out the communication only with a party whose MAC address (or the IP address) is found in the communication permission list. Alternatively, the communication between terminals can be permitted based not on the authentication granted by each terminal but on the authentication determined by an authentication server provided for this purpose. In such a case, each terminal conducts communication with another terminal through the authentication server. Also, the authentication between terminals may be granted using the public key encryption system.

[0141] Further, the authentication server may check the labels of all the files transmitted or received by the client terminal 101 in communication with the parties in or outside an organization. Within each organization, the file 107 may or may not be accessible depending on the title of an employee or the department of the organization to which the employee belongs. Even in such a case, the information flow can be controlled by the authentication server checking the labels.

[0142] (Second Embodiment)

[0143] A second embodiment of the invention will be explained. According to the first embodiment, a label indicating the security level 202 of the file 107 is attached to the file 107. In the second embodiment, on the other hand, the information flow is controlled using a security level control list 1400 set in the client terminal 101 without attaching the label to the file 107 in the client terminal 101, and in the case where the file 107 is sent out of the client terminal 101, the label is attached to it. The format of the label attached to the file 107 sent out of the client terminal 101 is similar to that for the first embodiment.

[0144] FIG. 12 shows the security level control list 1400 according to this embodiment. The first column represents a file name 1401, the second column a security level 1402 of the file 107, the third column a settlor level 1403 of the file 107, and the fourth column a settlor ID 1404 of the file 107.

[0145] An explanation will be given of the manner in which the application program 103 accesses the file 107 in the magnetic disk 106 in this embodiment. Unlike in the first embodiment, the file 107 according to this embodiment is not labeled, and therefore the byte offset requested by the application program 103 is not required to be processed. For reading from the file 107, the label management program 109 delivers the byte offset requested by the application program 103, directly to the file system driver 104.

[0146] For the operation of writing into the file 107, on the other hand, the same process as in FIG. 6 is performed except for the byte offset processing. Specifically, in response to the request of the application program 103 to write into the file 107, the label management program 109 checks to see whether the security level 402 of the application program 103 is coincident with the security level 202 of the file 107, and in the case of incoincidence, sets the security level 202 of the file 107 forcibly to the security level 402 of the application program 103, while in the case of coincidence, transmits the request to write into the file 107 to the file system driver 104.

[0147] FIG. 13 is a flowchart for performing the process of writing data into the file 107 of the removable media 123.

[0148] In step 1501, the application program 103 issues a request to write the data of the file 107 into the file 124 in the removable media 123.

[0149] In step 1502, the label management program 109 checks the security level 202 of the file 107.

[0150] In step 1503, whether the security level 202 is “confidential” or not is confirmed, and in the case where the security level 202 is “unclassified”, the process proceeds to step 1504. In the case where the security level 202 is “confidential”, on the other hand, the process proceeds to step 1506.

[0151] In the case where the security level 202 is “unclassified”, the label management program 109 issues a request to write the data of the file 107 into the file 124 in the removable media 123 of the file 107 in step 1504.

[0152] In step 1505, the file system driver 104 receives the write request, and the disk driver 105 transfers the data of the file 107 to the removable media 123.

[0153] In the case where the security level 202 is “confidential”, the label management program 109 prepares a labeled file 107 in step 1506.

[0154] In step 1507, the label management program 109 generates an encryption key.

[0155] In step 1508, the label management program 109 registers the encryption key in the key management server 114 and receives an ID number from the server.

[0156] In step 1509, the label management program 109 encrypts the labeled file 107 using the encryption key thereby to prepare an encryption file. The encryption file includes an ID number and encrypted data. The ID number is added when the label management program 109 prepares the encryption file.

[0157] In step 1510, the label management program 109 issues a request to write the data of the labeled encryption file into the file 124 of the removable media 123, and the process proceeds to step 1505.

[0158] According to this embodiment, the data is read from the file 124 in the removable media 123 in the same manner as in the first embodiment, as shown in FIG. 8. Also, in copying or transferring the file 123 on the removable media 123 to the magnetic disk 106, the label management program 109 adds the file name 1401, the security level 1402, the settlor level 1403 and the settlor ID 1404 of the file 124 to the security level control list 1400, and thus stores the file 124 in the magnetic disk 106.

[0159] Now, the process of transmitting the file at the client terminal 101 according to this embodiment will be explained with reference to FIG. 9.

[0160] In step 901, the application program 103 issues a request to transmit the file 107. According to this embodiment, prior to proceeding to step 902, a step is added for the label management program 109 to acquire the security level 202 of the file 107 and thereby to prepare a labeled file. The subsequent process is similar to that of the first embodiment, so that the process proceeds to step 902, in which the label management program 109 converts the transmission request of the file 107 to the transmission request of the labeled file 107.

[0161] In step 903, the protocol driver 110 divides the packet and prepares a packet header.

[0162] In step 904, the network adapter driver 111 transmits the file 107 outside through a LAN controller.

[0163] Upon generation of a request to delete the file 107, the label management program 109 transmits a request to delete the file 107 to the file system driver 104, and after receiving from the file system driver 104 a message to the effect that the file 107 has been successfully deleted, deletes the row of the file 107 from the security level control list 1400.

[0164] Upon receipt of the file 107 from another client terminal 101 or the gateway server 118, the label management program 109 checks the label attached to the head of the file 107 and registers the label information of the file 107 in the security level control list 1400. After that, the label management program 109 delivers the file 107 to the application program 103.

[0165] The security level 202 of the file 107 is changed in such a manner that the label management program 109 receives a request to change the security level 202 of the file 107 from the security level change program 108 and then changes the security level control list 1400. Specifically, the processing flow shown in FIG. 10 is followed except that the security level control list 1400 is used.

[0166] According to the first or second embodiment, the security level 202 is set in the file 107 and thereby the information flow can be controlled in the network.

[0167] (Third Embodiment)

[0168] Now, an explanation will be given of a third embodiment capable of guaranteeing the legitimacy of the label and preventing the illegal alteration of the label.

[0169] According to this embodiment, it is possible to prevent the illegal act in which a third party alters a label illegally and thus hides a person who has actually altered the label. As a specific example, an illegal act can be prevented in which a third party A alters a label illegally from the file 107 labeled “confidential” to a file labeled “unclassified”, and further sets the settlor ID to the ID of another person B to show as if B has changed the security level. In this way, should the file 107 labeled “confidential” leak outside, the innocent B is prevented from being persecuted for the act.

[0170] FIG. 14 is a diagram showing a structure of the labeled file 107 used in this embodiment. The labeled file 107 includes a label 1701 at the head thereof, followed by a data hash value 1702, a label signature 1703, a file data 1704 and a link signature 1705.

[0171] The data hash value 1702 is that of the file data as of the time point when the settlor himself of the security level 202 prepares or corrects the file 107 or changes the security level 202. The label signature 1703 is a digital signature attached by the settlor of the security level 202 for the label 1701 and the data hash value 1702. The link signature 1705, on the other hand, is a digital signature attached by the person who has prepared or changed the file data 1704 for the label 1701 and the file data 1704.

[0172] The label signature 1703 guarantees the legitimacy of the label 1701, while the link signature 1705 guarantees the legitimacy of the file data 1704 and the legitimacy of the link between the file data 1704 and the label 1701. The use of the label signature 1703 and the link signature 1705 is effective for the investigation as to where the responsibility lies for any information leakage which may occur, while at the same time suppressing the illegal information leakage as the evidence is left. A different confidential key for the signature is desirably held by each different user.

[0173] This embodiment can be used as an extension of the first embodiment, in which case the file structure described above is used in and outside the client terminal 101. In the case where this embodiment is used as an extension of the second embodiment, on the other hand, the file structure is used outside the client terminal 101, while the column of the data hash value 1702, the label signature 1703 and the link signature 1705 is added to the security level control list 1400 within the client terminal 101, thereby assuring the legitimacy of the label information.

[0174] Now, this embodiment will be explained as an extension of the second embodiment of the invention.

[0175] FIG. 15 is a flowchart for performing the process of writing data (file data 1704) into the file 107 according to this embodiment.

[0176] In step 1801, the application program 103 issues a request to write the data (file data 1704) into the file 107.

[0177] In step 1802, the label management program 109 checks, with reference to the process management list 400 and the security level control list 1400, whether the security level 402 of the application program 103 coincides with the security level 202 of the file 107.

[0178] In the case where the security level 202 of the application program 103 coincides with that of the file 107 in step 1803, the process proceeds to step 1806, otherwise the process proceeds to step 1804.

[0179] In step 1804, the label management program 109 changes the security level 202 of the file 107 to the security level 402 of the application program 103, and further changes the settlor level 203 and the settlor ID 204. In step 1805, the label management program 109 newly determines the data hash value 1702, the label signature 1703 and the link signature 1705, and then proceeds to step 1808. Under this condition, the data hash value 1702 is that of the file data 1704 after the change, and the label signature 1703 and the link signature 1705 the signature of the party requesting to write into the file 107.

[0180] In step 1806, the label management program 109 checks whether the settlor of the security level 202 of the file 107 coincides with the party requesting to write into the file 107, and in case of coincidence, the process proceeds to step 1805, otherwise the process proceeds to step 1807.

[0181] In step 1807, the label management program 109 newly determines the link signature 1705, which is the signature of the party requesting to write into the file 107.

[0182] In step 1808, the label management program 109 issues a request to the file system driver 104 to write the newly acquired one of the data hash value 1702, the label signature 1703 and the link signature 1705 together with the file data 1704 into the file 107.

[0183] In step 1809, the file system driver transmits the data to be written into the particular file, to the disk driver, which in turn writes the data in the magnetic disk.

[0184] An explanation will be made about the process performed at the client terminal 101 for transmitting the labeled file 107. First, the label management program 109 receives a file transmission request from the application program 103. Then, the label management program 109 converts the file transmission request from the application program 103 to the transmission request for the labeled file 107. Specifically, the file structure transmitted from the client terminal 101 is identical to the structure shown in FIG. 14.

[0185] FIG. 16 is a flowchart showing the process for performing the file receive operation at the client terminal 101 according to this embodiment.

[0186] In step 1901, the label management program 109 receives the labeled file 107.

[0187] In step 1902, the label management program 109 checks the label 1701 of the labeled file 107. In the process, the label management program 109 verifies the legitimacy of the label 1701 based on the label signature 1703, and checks for the completeness of the file data 1704 and the legitimacy of the link between the file data 1704 and the label 1701 based on the link signature 1705.

[0188] From step 1903, the process proceeds to step 1904 in the case where the result of the check in step 1902 shows that the label 1701, the file data 1704 and the link between the file data 1704 and the label 1701 are correct, otherwise the process proceeds to step 1906.

[0189] In step 1904, the label management program 109 adds the label information of the labeled file 107 to the security level control list 1400.

[0190] In step 1905, the label management program 109 delivers the labeled file 107 to the application program 103.

[0191] In step 1906, the label management program 109 transmits the label information of the labeled file 107 to the manager.

[0192] In step 1907, the label management program 109 sends an error message to the application program 103.

[0193] Now, the process performed for changing the “confidential” labeled file 107 to an “unclassified” file according to this embodiment will be explained with reference to FIG. 10.

[0194] In step 1001, the security level change program 108 issues a request to change the security level 202 of the labeled file 107 from “confidential” to “unclassified”.

[0195] In step 1002, the label management program 109 acquires the settlor ID 204 of the labeled file 107 from the security level control list 1400 according to this embodiment.

[0196] In step 1003, it is determined whether the settlor ID 204 acquired in step 1002 is coincident with the changer ID of the security level 202. In the case of coincidence, the process proceeds to step 1004, otherwise the process proceeds to step 1005.

[0197] In step 1004, the label management program 109 changes the security level 202 of the labeled file 107 to “unclassified”, while at the same time changing the settlor ID 204 and the settlor level 203. According to this embodiment, the label management program 109 further performs the process for newly acquiring the label signature 1703 and the link signature 1705.

[0198] The process including and subsequent to step 1005 is similar to that of the first embodiment. In step 1005, it is determined whether the changer of the security level 202 is authorized to change the security level 202 or not. In the case where the changer is so authorized, the process proceeds to step 1004, otherwise the process proceeds to step 1006.

[0199] In step 1006, the label management program 109 delivers an error message to the security level change program 108.

[0200] This embodiment is described above referring to a case in which the security level 202 is changed from “confidential” to “unclassified”. Nevertheless, the security level 202 can be reduced by the same method also in the case where the security level 202 includes three levels.

[0201] FIG. 17 is a flowchart for performing the process of checking the label 1701 at the gateway server 118 according to this embodiment.

[0202] In step 2101, the file 107 transmitted outside of the in-house client terminal 101 is received.

[0203] In step 2102, the transmission management program 119 checks whether the label 1701 for the file 107 is present or not.

[0204] In step 2103, the process proceeds from step 2103 to step 2104 in the presence of the label 1701, otherwise the process proceeds to step 2111.

[0205] In step 2104, the transmission management program 119 checks the security level 202 of the labeled file 107.

[0206] In step 2105, the process proceeds to step 2106 if the security level 202 is “unclassified”, otherwise the process proceeds to step 2113.

[0207] In step 2106, the transmission management program 119 checks whether the label 1701 is complete or not. In the process, the transmission management program 119 verifies the legitimacy of the label 1701 based on the label signature 1703, and checks both the completeness of the file data 1704 and the legitimacy of the linkage between the file data 1704 and the label 1701 based on the link signature 1705.

[0208] From step 2107, the process proceeds to step 2108 in the case where the check in step 2106 shows that the linkage is legitimate, otherwise the process proceeds to step 2115.

[0209] In step 2108, the transmission management program 119 removes the label 1701, the data hash value 1702, the label signature 1703 and the link signature 1705 from the labeled file 107.

[0210] In step 2109, the transmission management program 119 transmits the file 107 outside.

[0211] In step 2110, the file is transmitted successfully.

[0212] In step 2111, the transmission management program 119 determines that the file 107 is illegal data, and sends an error message to the transmitter terminal.

[0213] In step 2112, the file transmission ends in failure.

[0214] In step 2113, the transmission management program 119 sends to the transmitter terminal a message to the effect that the security level 202 of the labeled file 107 is not “unclassified”.

[0215] In step 2114, the file transmission ends in failure.

[0216] In step 2115, the transmission management program 119 sends to the transmitter terminal a message to the effect that the label of the labeled file 107 is illegal.

[0217] In step 2116, the file transmission ends in a failure.
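The FIG. 17 gateway check over the FIG. 14 file structure, as an added example that is not code from the patent: HMAC-SHA256 with constructed per-user keys stands in for the digital signatures, and the field names, `USER_KEYS` and the carried `writer_id` are assumptions. Steps 2106 to 2107 are what this flow adds to the label-only check of FIG. 11.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed per-user signing keys. HMAC-SHA256 is a stand-in for the digital
# signature so that the example needs only the standard library.
USER_KEYS = {"userA": b"constructed-key-A", "userB": b"constructed-key-B"}


@dataclass(frozen=True)
class LabeledFile:
    label: dict        # label 1701: security level 202, settlor level 203, settlor ID 204
    data_hash: bytes   # data hash value 1702 (data as of the settlor's last change)
    label_sig: bytes   # label signature 1703: settlor signs label + data hash
    file_data: bytes   # file data 1704
    link_sig: bytes    # link signature 1705: writer signs label + file data
    writer_id: str     # assumption: the writer's ID is carried so 1705 can be checked


def _label_bytes(label: dict) -> bytes:
    return json.dumps(label, sort_keys=True).encode()


def _sign(user_id: str, *parts: bytes) -> bytes:
    mac = hmac.new(USER_KEYS[user_id], digestmod=hashlib.sha256)
    for part in parts:
        # Length prefix keeps (label, data) boundaries unambiguous.
        mac.update(len(part).to_bytes(8, "big") + part)
    return mac.digest()


def make_labeled_file(level, settlor_id, settlor_level, data):
    """Settlor creates the file: all three protected fields are fresh (step 1805)."""
    label = {"security_level": level, "settlor_level": settlor_level,
             "settlor_id": settlor_id}
    lb = _label_bytes(label)
    data_hash = hashlib.sha256(data).digest()
    return LabeledFile(label, data_hash, _sign(settlor_id, lb, data_hash),
                       data, _sign(settlor_id, lb, data), settlor_id)


def rewrite_data(f, writer_id, new_data):
    """A non-settlor writes at the same level: only 1705 is renewed (step 1807)."""
    link_sig = _sign(writer_id, _label_bytes(f.label), new_data)
    return replace(f, file_data=new_data, link_sig=link_sig, writer_id=writer_id)


def signatures_valid(f) -> bool:
    settlor = f.label.get("settlor_id")
    if settlor not in USER_KEYS or f.writer_id not in USER_KEYS:
        return False
    lb = _label_bytes(f.label)
    label_ok = hmac.compare_digest(f.label_sig, _sign(settlor, lb, f.data_hash))
    link_ok = hmac.compare_digest(f.link_sig, _sign(f.writer_id, lb, f.file_data))
    return label_ok and link_ok


def gateway_check(received):
    """Return (final step number in FIG. 17, bytes sent outside or None)."""
    if not isinstance(received, LabeledFile):                      # steps 2102-2103
        return 2112, None                                          # via 2111: illegal data
    if received.label.get("security_level") != "unclassified":     # steps 2104-2105
        return 2114, None                                          # via 2113
    if not signatures_valid(received):                             # steps 2106-2107
        return 2116, None                                          # via 2115: label illegal
    return 2110, received.file_data                                # 2108-2109: strip, send


if __name__ == "__main__":
    secret = make_labeled_file("confidential", "userA", 2, b"design doc")
    # The alteration described in [0169]: label flipped, settlor ID set to B.
    forged = replace(secret, label={"security_level": "unclassified",
                                    "settlor_level": 2, "settlor_id": "userB"})
    print(gateway_check(secret), gateway_check(forged))
```

The data hash value 1702 is deliberately not compared with the current file data at the gateway: after a step 1807 write it still describes the settlor's version, and the link signature 1705 is what covers the present contents.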

[0218] Also, the transmission management program 119 may store all the contents of the transmitter information and the transmittee information and the transmission file (the file having the label 1701, the data hash value 1702, the label signature 1703 and the link signature 1705) in a log.

[0219] According to this embodiment, in the case where the gateway server 118 receives the file 107 transmitted toward the client terminal 101 from the external network 121, the receiving management program 120 attaches the “unclassified” label to the file 107 and transmits the file 107 to the client terminal 101. In this case, the label settlor ID 204 is set to the ID of the gateway server 118, and the settlor level 203 is set to the lowest level. Also, the label signature 1703 and the link signature 1705 constitute the signature by the gateway server 118.

[0220] Further, the receiving management program 120 may store in a log the transmitter information, the transmittee information of the file 107 and all the contents of the received file.

[0221] (Fourth Embodiment)

[0222] A fourth embodiment of the invention will be explained.

[0223] Various application programs 103 operate on a general-purpose computer. Also, various devices are connected and therefore the device drivers for operating these devices are in operation. As a result, in the case where each of the embodiments described above is implemented with a general-purpose computer, a bug of the application program 103 or the device driver and the operating error of the user may cause a change or a deletion of the label information (the security level control list 1400), the label management program 109 and the process management list 400. According to this embodiment, such an inconvenience can be avoided.

[0224] FIG. 18 shows an example of a configuration of the client terminal 101 according to this embodiment. By replacing this client terminal with the client terminal 101 shown in FIG. 1 and using each of the embodiments described above, the aforementioned effect of this embodiment can be achieved.

[0225] Two operating systems are working in the client terminal 101, which has a memory area 2201 managed by the first operating system and a memory area 2202 managed by the second operating system. Further, a multi OS control program 2204 for controlling the two operating systems is in operation. A multi OS control technique is disclosed in JP-A-11-149385.

[0226] Also, the memory area 2201 managed by the first operating system has loaded therein an application program 103, a security level change program 108, an I/O hook program 2203, a file system driver 104, a disk driver 105, a protocol driver 110 and a network adapter driver 111. Further, the first operating system manages the magnetic disk 106 and the network I/F 112, and the file 107 is stored in the magnetic disk 106.

[0227] The label management program 109 and the process management list 400 are stored in the memory area 2202 managed by the second operating system. Also, the second operating system manages the magnetic disk 2205, which has stored therein the security level control list 1400.

[0228] The I/O hook program 2203 hooks the request for access to the file 107 from the application program 103 or the security level change program 108 or the request for transmission/receiving of the file 107. Further, the I/O hook program 2203 has the function of requesting the processing of the label management program 109 and the function of receiving the result of processing of the label management program 109 and delivering the result of the processing to the file system driver 104 or the protocol driver 110. Specifically, the I/O hook program 2203 requests the processing of the label management program 109 utilizing the function of communication between the operating systems of the multi OS control program 2204. The function of communication between the operating systems is disclosed, for example, in JP-A-11-85546.

[0229] According to this embodiment, the objects to be protected (label management program 109, the process management list 400 and the security level control list 1400) are managed by the second operating system, so that protection is possible from the change due to the bug of the application program 103 or the device driver operating on the first operating system or the operating error of the user.

[0230] (Miscellaneous)

[0231] According to each of the embodiments described above, not only the leakage of the in-house confidential information is prevented but also the leakage of the confidential information which otherwise might be caused by the illegal intrusion through the external network 121 can be prevented. In the case where an illegal intruder attempts to take away a confidential file from the client terminal 101 through the gateway server 118, the transmission management program 119 of the gateway server 118 checks the label of the particular confidential file. In the case where the security level is “confidential”, the transmission management program 119 rejects the transmission outside and therefore the leakage of the confidential file can be prevented.

[0232] Also, the label management program 109 can attach a label “Untrusted” on an untrusted program (such as a program accompanying the mail) thereby to limit the files accessible.

[0233] Specifically, the “Untrusted” label is attached on a system file or a set information file of the kernel, so that in the case where the “Untrusted” program accesses a “Trusted” file, the label management program 109 limits the access. This function can be realized by the label management program 109 checking the program and the file label when the file is open. By use of this function, the effect that a computer virus has on the system can be minimized.

[0234] Also, communication can be carried out between the client terminal 101 and the gateway server 118 by use of a dedicated communication protocol. As a result, a label is attached on the header area of each packet, and the transmission management program 119 of the gateway server 118 checks the label in the header area of the packet thereby to determine whether the data can be transmitted or not. In the case where the dedicated communication protocol is used for transmission of data to the external network 121, the transmission management program 119 removes the label and converts it into a general-purpose communication protocol (TCP/IP, etc.).

[0235] Also, the labeled file 107 is attached to the file attached to the electronic mail and transmitted, and the gateway server 121 checks the label of the file accompanying the mail, thereby making it possible to prevent the confidential file from leaking outside through electronic mail. As for the text of the mail, the leakage can be prevented by checking, using the keyword search, to see whether any keyword against the policy is included or not.

[0236] Also, a security level is set for each client terminal 101, and further an intermediate server is provided between the client terminals 101 on the one hand and between each client terminal 101 and each server on the other, so that the intermediate server may be equipped with the function of preventing the leakage of the information. In this case, the label need not be attached to the file 107 on the client terminal 101.

[0237] In this case, the intermediate server manages the security level of each client terminal 101, and determines whether the file 107 transmitted by the client terminal 101 is allowed to be transmitted to another client terminal 101 or another department or group. No label is attached in the case where the intermediate server transmits the file 107 directly to the client terminal 101, but the label is attached in the case where the file 107 is transmitted to the intermediate server of another department or group. The intermediate server checks the label of the file 107 received from another intermediate server, and when transmitting the file 107 to the client terminal 101, removes the label. The intermediate server may be arranged for each department or group.

[0238] By doing so, the label management program 109 is not required to be incorporated in each client terminal 107, thereby making it possible to save the labor and trouble for introducing the function of information leakage prevention.

[0239] Thus, there is provided a system capable of preventing the leakage of a confidential file having an arbitrary format.

[0240] It should be further understood by those skilled in the art that the foregoing description has been made on embodiments of the invention and that various changes and modifications may be made in the invention without departing from the spirit of the invention and the scope of the appended claims.

1. A network system connected to an in-house network and capable of controlling the transmission, comprising a transmission/receiving terminal having means for transmitting/receiving data and repeater means for relaying the data transmitted/received between said transmission/receiving terminal and said in-house network: wherein said data includes information proper and additional information associated with said information proper; and said repeater means includes means for controlling the data transmission from said transmission/receiving terminal using said additional information, and means for removing said additional information from said data transmissible outside of said in-house network.

2. A network system capable of controlling the transmission according to claim 1, wherein said additional information includes information representing the attribute of said information proper; and wherein said repeater means includes means for holding the transmission policy corresponding to said attribute, and means for determining whether the data to be transmitted by said transmission terminal can be transmitted in accordance with said transmission policy.

3. A network system capable of controlling the transmission according to claim 2, wherein said attribute is a security level.

4. A network system capable of controlling the transmission according to claim 3, wherein said additional information further includes settlor information for said security level and hierarchical information of said settlor.

5. A network system capable of controlling the transmission according to claim 4, wherein said transmission/receiving terminal includes means for controlling the access to said information proper using said additional information, and means for delivering said information proper of said data to an application program operating at said transmission/receiving terminal.

6. A network system capable of controlling the transmission according to claim 4, further comprising means for changing said additional information.

7. A network system capable of controlling the transmission according to claim 6, wherein said access control means includes means for setting the security level of said application program, and means for determining whether said application program can access said data or not, by comparing the security level of said application program with the security level of said data proper, in response to a data access request of said application program, and said means for setting the security level of said application program sets the security level of said application program in accordance with the security level of said data proper before said application program starts processing said data.

8. A network system capable of controlling the transmission according to claim 1, wherein said repeater means includes: a transmission permit list of transmittees external to said in-house network to which said transmission/receiving terminal is permitted to transmit data; means for encrypting the data to be transmitted by said transmission/receiving terminal; means for receiving the data to be transmitted by said transmission/receiving terminal; means for determining whether said data is to be transmitted, with reference to said transmission permit list; means for encrypting said data of which the transmission is permitted; and means for transmitting said encrypted data outside of said in-house network.
 9. A networksystem capable of controlling the transmission according to claim 1,wherein said repeater means includes: means for receiving theinformation transmitted toward said transmission/receiving terminal froma source external to said in-house network; means for mounting theadditional information on said information proper and generating saiddata; and means for transmitting said data to saidtransmission/receiving terminal.
 10. A network system capable ofcontrolling the transmission according to claim 1, wherein saidtransmission/receiving terminal includes a list of additionalinformation for recording the additional information to be added to eachof said information proper, and means for adding said additionalinformation to said information proper at the time of transmitting thedata and at the time of writing the data in removable media andgenerating the data.
 11. A network system capable of controlling thetransmission according to claim 1, wherein said additional informationincludes information representing the security level of said informationproper, a feature value of said information proper, a first digitalsignature for the information indicating said security level and saidfeature value, and a second digital value for the information indicatingsaid security level and said information proper.
 12. A network systemcapable of controlling the transmission according to claim 1, whereinsaid transmission/receiving terminal includes a first operating system,a second operating system and a multi OS control program, said programcontrolling said first and second operating systems, said firstoperating system manages the application program handling saidinformation proper, and said second operating system manages the meansfor controlling the access to said information proper using saidadditional information, and means for changing said additionalinformation.
 13. A network system capable of controlling thetransmission, comprising: an information processing system including afirst storage unit, a second storage unit for reading/ writing data fromand into removable media, means for accessing said first and secondstorage units, and an additional information list containing theadditional information to be added to each of said information proper;and a key management unit for managing an encryption key; wherein saidaccess means includes means for recording the information proper fromsaid first storage unit into said second storage unit; and saidrecording means includes means for determining whether said data is tobe encrypted or not, by referring to the additional information of saidinformation proper recorded in said additional information list, meansfor generating an encryption key in the case where said data can beencrypted, means for encrypting said data using said encryption key,means for registering said encryption key in said key management unit,means for receiving an identifier of said registered encryption key fromsaid key management unit, means for generating data by adding saidadditional information to said information proper, and means forrecording said encrypted data and said identification number in saidsecond storage unit using said encryption key.
 14. A network systemcapable of controlling the transmission, comprising: an informationprocessing system including a first storage unit, a second storage unitfor reading/ writing data from and into removable media, means foraccessing said first and second storage units, and an additionalinformation list containing the additional information to be added toeach of said information proper; and a key management unit for managingan encryption key; wherein said access means includes means forrecording the data from said second storage unit into said first storageunit; said data includes an identifier and encrypted data; saidencrypted data includes an additional information section; saidrecording means includes means for transmitting said identifier to saidkey management unit and receiving the encryption key for thecorresponding one of said encrypted data, means for decrypting saidencrypted data using said encryption key, and means for adding saidadditional information to said additional information list; and said keymanagement unit includes means for receiving said identifier from saidrecording means and transmitting the encryption key associated with saidencrypted data to said recording means.
 15. A network system capable ofcontrolling the transmission, comprising: an information processingsystem including a first storage unit, a second storage unit forreading/ writing data from and into removable media, and means foraccessing said first and second storage units; and a key management unitfor managing an encryption key; wherein said access means includes meansfor recording the data from said first storage unit into said secondstorage unit; said data includes information proper and additionalinformation associated with said information proper; said recordingmeans includes means for determining whether said data is to beencrypted or not, based on said additional information, means forgenerating an encryption key, means for encrypting said data using saidencryption key, means for registering said encryption key in said keymanagement unit, means for receiving the identifier of said registeredencryption key from said key management unit, and means for recordingsaid encrypted data and said identifier into said second storage unit;and said key management unit includes means for receiving saidencryption key from said recording means and transmitting saididentifier associated with said encryption key to said recording means.16. 
A network system capable of controlling the transmission,comprising: an information processing system including a first storageunit, a second storage unit for reading/writing data from and intoremovable media, and means for accessing said first and second storageunits; and a key management unit for managing an encryption key; whereinsaid access means includes means for recording the data from said secondstorage unit into said first storage unit; said data include anidentifier and encrypted data; said recording means includes means fortransmitting said identifier to said key management unit and receivingthe encryption key for said encrypted data, and means for decryptingsaid encrypted data using said encryption key; and said key managementunit includes means for receiving said identifier from said recordingmeans and transmitting said encryption key associated with saidencrypted data to said recording means.
 17. A network system capable ofcontrolling the transmission according to claim 4, wherein saidtransmission/receiving terminal includes means for changing saidadditional information; and said change means determines whether thesecurity level of said data can be changed, with reference to thesecurity level of the data of said additional information, the settlorinformation of said security level, the hierarchical information of saidsettlor, the changer information of a person intending to change theadditional information of said data and the hierarchical information ofsaid changer.